Jun 07, 2009

phpBB Weekly #108: A Day At the Races


Download MP3 Episode (58.3 MB)

Episode Duration: 1:03:39
On This Episode: Douglas Bell (Fountain of Apples), Phil Crumm (iWisdom), and Micheal Cottingham (Techie-Micheal), with a brief cameo from David Lewis (Highway of Life)

It’s a developer’s paradise on this episode of phpBB Weekly. phpBB 3.0.5 has been released, the “quite furry” edition, and the first phpBB release since late last year. It brings a slew of bugfixes, changes, and new features; headlining the bunch is a new CAPTCHA “wave” setting (to help improve on the CAPTCHA cracked four months ago) and the long-awaited ability for users to refresh the displayed CAPTCHA. Improvements have also been made to the auto-updater, so if you haven’t gotten into the habit of using it, now is a good time, as Phil explains.

But we’re already looking ahead to 3.0.6, as the Development Team has been busy pouring check-ins into Subversion with some new backports from the Ascraeus branch. Included is a whole new “plugin” system for the CAPTCHA/Visual Confirmation, which should make it easier for third-party CAPTCHAs to be incorporated into phpBB, although it will mean that authors of existing CAPTCHA MODs may have to do some rewriting pretty soon. Also backported is support for software-based caching engines such as XCache and eAccelerator, which should produce better (and somewhat more secure) results than phpBB’s current op-cache based system. (At least, that’s my understanding of it; Phil gives a better explanation on the show, and I’m sure he’ll correct me if I got it wrong.)

Finally, the Development Team offers up another relic in the form of the phpBB Code Swarm video, and Douglas performs his uniquely epic take on the video, live on the show (as in NOT pre-recorded and NOT practiced at all). For those of you who want to share it, it starts at the 37:30 timestamp. :)

Oh, and the Development Team is moving up in the world! TerraFrost, an acquisition from the MOD Team, has been promoted from Junior Developer to full-fledged Developer, and bantu (also from the MOD Team) is now a Junior Developer. Congrats, folks! Not to be outdone (or deprived of all of their members), the MOD Team has some new Junior Validators: Balint, CoC, daroPL, and platinum_2007.

The MOD of the Week is Quote User Back Link by Erik Frerejean, and the Style of the Week is aktif by napy8gen.

Finally, the bonus at the end of the show is the William Tell Overture by Spike Jones (Douglas’ inspiration for his code swarm video interpretation).

Feb 08, 2009

phpBB Weekly #097: Full Coverage of phpBB.com Outage and Cracked CAPTCHA


Download MP3 Episode (99.8 MB)

Episode Duration: 1:49:01
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), Phil Crumm (iWisdom), Josh Woody (A_Jelly_Doughnut), Ashley Pinner (NeoThermic), and Micheal Cottingham (Techie-Micheal)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

The phpBB community suffered a double-whammy this week: the exploitation of a PHPList vulnerability (NOT a phpBB vulnerability) led to an extended outage of phpBB.com since last Saturday, and the current phpBB3 CAPTCHA (as of 3.0.4) was formally cracked, causing a significant and sudden spike in spam registrations on boards starting around the middle of the week. In this special episode, David and Douglas are joined by Phil Crumm (iWisdom), Support Team Member; Josh Woody (A_Jelly_Doughnut), MOD Team Member; Ashley Pinner (NeoThermic), Styles Team Member; and Micheal Cottingham (Techie-Micheal), Security Expert and former team member.

During this episode, we learn a number of new details about the zero-day exploit that caused the phpBB.com outage, which also explain why it has taken so long for the teams to clean up the damage and restore the site, and how herculean this task really is. We also discuss some of the details of the zero-day exploit in PHPList, and some of the coding practices in PHPList that allowed these kinds of security exploits to take place. Micheal also shares a bit of his expertise on security policy and gives us an outline of what phpBB will do, and what other websites should do, to ensure they stay secure and avoid these kinds of attacks.

However, the most critical repercussion from this attack as far as users are concerned is the security of their passwords, particularly if they have not logged into phpBB.com since before March 2007 (which was when phpBB.com was updated to phpBB3). Due to an inferior hashing technique used by phpBB2, user passwords that have not been changed or used on phpBB.com since the phpBB2 days have been brute-forced, read, and published publicly by the attacker. Interestingly enough, an analysis of the passwords has shown that the most popular passwords on the list were poor throwaway passwords such as “password” and “123456”. We discuss in great detail the importance of having a very secure, hard to guess/remember password, changing it frequently, and (if possible) using an encrypted password manager such as 1Password. Speaking of which, the teams highly recommend that if you share any of the passwords that you have used on any part of phpBB.com (forum, wiki, code forge, etc.), you should change them just in case, as well as changing your phpBB.com password as soon as it comes back online.
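As an added illustration (not part of the show notes), the contrast the paragraph draws: phpBB2 stored an unsalted MD5 of each password, so a single table of hashed common words identifies every affected account in one pass, whereas a per-user salt plus iteration forces separate work per account. The user table and wordlist are constructed, and PBKDF2-HMAC-SHA256 is used here as a modern stand-in, not as phpBB3’s own hashing scheme.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a phpBB2-era user table: the stored value is md5(password)
# with no salt, so two users with the same password share the same hash.
LEGACY_USERS = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",            # md5("password")
    "bob":   hashlib.md5(b"v7!Kq2#pLm9z").hexdigest(),      # a unique password
    "carol": "e10adc3949ba59abbe56e057f20f883e",            # md5("123456")
    "dave":  "5f4dcc3b5aa765d61d8327deb882cf99",            # same hash as alice
}
COMMON_WORDS = ["password", "123456", "qwerty", "letmein"]  # constructed wordlist


def audit_legacy(users, wordlist):
    """Flag accounts whose unsalted md5 equals the hash of a known weak password.

    One table of md5(word) is compared against the whole user base at once; no
    per-user computation is needed. This is the weakness the episode describes, and
    the same check lets an administrator force resets on exactly those accounts.
    Returns {username: matched_word}.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in users.items() if h in table}


def salted_hash(password, salt=None, rounds=100_000):
    """Hash with a fresh 16-byte random salt and many iterations.

    The salt is stored alongside the digest, so identical passwords yield
    different stored values and a precomputed table no longer applies.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Recompute with the stored salt and round count; compare in constant time."""
    _alg, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_hashes_differ(password):
    """Two stored values for the same plaintext differ once a random salt is used."""
    return salted_hash(password) != salted_hash(password)


if __name__ == "__main__":
    print("force reset for:", sorted(audit_legacy(LEGACY_USERS, COMMON_WORDS)))
```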

We then chat about the cracking of the phpBB3 CAPTCHA, which has caused a stir over a massive spike in spam registrations on phpBB boards. Interestingly enough, the teams were actually pleasantly surprised that the CAPTCHA lasted as long as it did before it got cracked (nearly two years!); pretty good for a CAPTCHA generated by open-source, freely downloadable code for one of the most widely-used bulletin board platforms on the net. While phpBB 3.0.5 will include new functionality that adds an optional wave distortion to the CAPTCHA, 3.0.5 will not be out the door very soon for obvious reasons, and a number of people, including some of us, think that it’s a bit hard on some people’s eyes (see example 1, example 2). Many admins have turned to other anti-spam MODs and tools that use other methods to fight off spambots. We discuss some of these options and whether they would be appropriate as part of a future default phpBB installation. We also describe some of the other options that admins have available, such as altering activation settings or enabling the post queue (a new feature since 3.0.3) to sequester spam posts before they are publicly visible.

Additional Links Mentioned in This Episode:
phpBB.com Downtime and Server Compromise — Details
Lessons to Learn from the Downtime
StarTrekGuide Security Class forum
Spambots Topic on Area51
Spambots Topic on StarTrekGuide

There is no MOD of the Week, Style of the Week, or Poll Question of the Week this week; however, to end the show on a lighter note, we did throw in a funny Easter Egg conversation about earthquakes during the closing music. :) We’ll hopefully have a more lighthearted episode during our special Valentine’s Day show next Saturday; we hope you’ll join us.

We highly encourage you to share this episode with any other phpBB administrators you know. A lot of relevant information, some of it exclusive, is presented in this episode that will be helpful to many phpBB administrators and users. Click on the ShareThis button below to spread the word about this episode on your social network, blog, or via e-mail. Thanks for listening, and thanks for your support of phpBB Weekly.

Copyright © 2007-2010 phpBB Weekly, some rights reserved under a Creative Commons License. Website powered by WordPress. Theme: TheBuckmaker. Background: Vlad Gerasimov.